How to Tame the Social Network at Work

They're a productivity sink and a bandwidth suck. They're a vector for malware and a gift for corporate spies. They're a data spill just waiting to happen. And like it or not, they're already inside your enterprise.

Meet the Social Network. No, not that movie about Mark Zuckerberg -- the real social network, from Facebook and MySpace to Twitter and Flickr, used by your coworkers and colleagues every single day, whether they're officially allowed to or not.

But social networking inside the enterprise is not only inevitable, it's essential. Used correctly, social media can help your company solve problems, burnish its public image, recruit top talent, and generate ideas. Implemented poorly -- or worse, ignored -- and it can create a world of pain.

You can get on the social bus, or you get dragged behind it -- your choice.

Taming the social network: With friends like these, who needs enemies?

What could go wrong with giving unfettered access to social networks at work? Plenty. Even if you manage to keep employees from spending all day milking cows and harvesting crops in Farmville, a host of other potential threats lurk just below the surface.

Take bandwidth, for example. Social media is consuming ever increasing amounts of network resources, according to Palo Alto Networks' Application Usage and Risk Report. While the number of social media apps found on corporate networks has remained relatively stable over the past year, the bandwidth these apps consume has more than doubled and is expected to grow even more.

"Social media traffic is massive," says Rene Bonvanie, vice president of worldwide marketing for the network security vendor. "We see the bandwidth demands going up substantially through social media apps. In many cases, it does conflict with business systems in these organizations, which could lead to continuity issues."

Worse, because they're based on trust, social networks have become very effective vectors for spreading malware, says Sarah Carter, chief strategy officer for FaceTime, a maker of Web 2.0 security tools -- much more so than, say, email.

"We're well trained in the email and traditional Web world," Carter says. "We don't click on .exe attachments or URLs that look suspicious -- heck we probably don't even see them anymore because of our spam filters. But in the world of social networking, where the person we're receiving the message/notification from is inside our trusted network of people, we're more susceptible to just plain clicking on that link and infecting ourselves."

According to Panda Security's Social Media Risk Index PDF, one-third of small-to-midsize businesses have suffered a malware infection initiated through social media, with Facebook as the leading source. Malware threats once thought of as nearly extinct have made a rousing comeback in business environments, thanks to overly trusting social networkers.

Yet the biggest threat is probably the accidental data leak, wherein well-meaning employees tweet details of secret projects they're working on, "check in" to meetings between two companies on a verge of a confidential deal, or post status updates that mention internal problems at the company. It's not quite on the scale of, say, losing a prototype iPhone in a bar, but employee social media gaffes can cause your organization everything from public embarrassment to legal liabilities.

"I can't begin to tell you how many times companies come to us because they've discovered their employees were using social networks that compromised sensitive data," says Mike Logan, CEO of Axis Technology, a vendor of data masking products. "A P2P network or a social network like Facebook that collects info is pretty much the equivalent of digging a tunnel right into a company's data center."

In Proofpoint's seventh annual study of outbound communications security, conducted by Osterman Research in July, one in five organizations reported losing confidential or sensitive information via social networks -- a figure Osterman acknowledges is probably lower than the actual number. In the past 12 months, 20 percent of companies surveyed have disciplined employees for violating company policies on social networking, while 7 percent have terminated people for their actions on social nets.

It gets worse. If your employees post proprietary information on a site like Facebook, whose legal terms claim ownership over any data shared on its network, you may lose control over your company's intellectual property.

"It all boils down to what is written in the terms of service," says Carter. "These differ between the different social networks, which creates its own problems. Having proprietary data residing on a social network should absolutely create concerns for enterprises, especially if that data is not stored anywhere else. Enterprises should look at their record retention policies and not rely on Facebook, LinkedIn, or Twitter to store that data for them."

Taming the social network: Block social media at your peril

From an IT perspective, an understandable response to social media is to block it and forget about it. Depending on the survey, some 30 to 50 percent of organizations polled say they ban employees from using Facebook, Twitter, LinkedIn, and other popular social media sites at work. Simply add facebook.com and twitter.com to your list of forbidden URLs and get back to the real work at hand, right?

Wrong, says Palo Alto Networks' Bonvanie. Most companies are in denial about how much their employees are using social nets, as well as what they can do to stop it.

"You ask some IT people about social media and they'll say, 'Nobody's using Facebook on our network,' or, 'They can't use it because we're using IPS or URL filtering to block it,'" Bonvanie says. "In both cases, those IT people are completely wrong. We see massive penetration of social media in the enterprise."

How massive? Palo Alto Networks has detected Facebook use on 92 percent of the 347 enterprise networks it surveyed last spring. Twitter was detected on 87 percent of corporate nets; LinkedIn and MySpace, 83 and 82 percent, respectively.

When IT has taken steps to block access to Facebook and other social sites on the network, users invariably find a way around those barriers, says Bonvanie.